In a Google security blog post on Thursday, Google disclosed data from the annual review of its bug bounty program, the Vulnerability Reward Program (VRP). Payouts for full-year 2021 grew to $8.7 million, rewarding thousands of bug report submitters for Google products, compared to $6.7 million for full-year 2020.
Of this, $3 million was used for Android bug reports, $3.3 million for Chrome browser bug reports, $500,000 for Play Store bugs, and $313,000 for Google Cloud.
In addition, a total of 696 researchers received Google’s bug bounty last year. The highest single reward was $157,000, for an Android exploit chain.
Sadly, no one has yet been able to claim the $1.5 million bounty for breaking the Pixel smartphone’s Titan M security chip.
For reference, Microsoft noted in a July 2021 report that the company awarded bug submitters $13.6 million in bounties for 1,261 bugs during the period from July 1, 2020 to June 30, 2021.
Google says 2021 was a successful year for the VRP, because the company not only handed out record rewards but also launched new programs.
The first is the creation of the Google Bug Hunters portal, where security researchers can see community leaderboards.
Second is the dedicated Android Chipset Security Rewards Program (ACSRP). As a collaborative project with several smartphone manufacturers, ACSRP attracted more than 220 valid and unique reports in its first year and paid out $296,000 in rewards.
Finally, Google released statistics from its own internal security research team, Project Zero. The time to patch security vulnerabilities has improved, with fixes typically arriving within 52 days (down from 80 days three years ago).